How-to

Connecting Microsoft 365 for outbound email

Send HR emails from your own corporate domain instead of a Blankitt no-reply address. The setup requires a small amount of Azure admin work; this walks through it.

2 min readLast updated 25 May 2026
Jump to section

Why connect Microsoft 365

By default, Blankitt HR sends emails (invites, leave approvals, signature requests, payroll notifications) from a Blankitt-managed sender. Connecting your Microsoft 365 lets them come from your own corporate domain — e.g. hr@yourdomain.com — which is what most employees expect.

What you'll need

Someone with admin rights to your Microsoft 365 tenant (the Azure portal). The setup takes about 10 minutes.

Step 1 — Register an application in Azure

  1. Sign in to portal.azure.com
  2. Go to Microsoft Entra ID > App registrations > New registration
  3. Name: something memorable like "Blankitt HR email"
  4. Supported account types: "Accounts in this organisational directory only"
  5. Leave the Redirect URI blank
  6. Click Register
  7. From the app overview, copy:
    • Application (client) ID
    • Directory (tenant) ID

Step 2 — Grant permission to send mail

  1. In the app, go to API permissions > Add a permission
  2. Pick Microsoft Graph > Application permissions > Mail.Send
  3. Save
  4. Click Grant admin consent for [your organisation] — this is required for application permissions to work

Step 3 — Create a client secret

  1. In the app, go to Certificates & secrets > New client secret
  2. Give it a description and pick an expiry (the maximum is 24 months — set a calendar reminder to renew it before then)
  3. Click Add
  4. Important: copy the Value column immediately. You can't see it again after you navigate away.

Step 4 — Connect in Blankitt HR

  1. Open Settings > Email providers
  2. Click Microsoft 365 > Connect
  3. Paste the three values:
    • Tenant ID
    • Client ID
    • Client secret
  4. Set the From address — a licensed mailbox in your Microsoft 365 (e.g. hr@yourdomain.com). The mailbox must already exist and be licensed.
  5. Click Save and test. The system sends a test email to your admin address.
  6. If the test succeeds, click Activate

Security

Your client secret is stored encrypted. Blankitt staff can't read it back from our systems.

What if Microsoft 365 is down?

If your Microsoft 365 has an outage or hits a rate limit, Blankitt HR automatically falls back to a backup provider so your important emails (signature requests, invites) still go out. You won't notice unless you look at the email headers.

Renewing the secret

Client secrets in Azure expire — typically every 6, 12 or 24 months. Before yours expires, repeat steps 3 and 4 with a fresh secret, then activate. The old secret stops being used as soon as the new one is active.

Still stuck? Email support or open the support widget in the bottom-right.